[Solved] Nextcloud 24 The “Strict-Transport-Security” HTTP header is not set to at least “15552000”

javito · October 3, 2022, 4:55pm

Iv been going cracy trying to resolve this issue, tried everything i have found on the internet set it to 15752000, invert the order on which the is set, add ; preloadat the end of Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains", but nothing works, the same msg still shows up on my nextcloud, has anyone been able to fix this?

this is my ssl apache config looks like on the section im suppose to put that, im using ubuntu server 20.04, php 8.1 and apache2:

        DocumentRoot /var/www/nextcloud


        <IfModule mod_headers.C>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

        <Directory /var/www/nextcloud/>
                AllowOverride All
        </Directory>

nc1215 · October 4, 2022, 2:55am

I did this a long time ago but I believe that I got rid of the message by using a value greater than 15752000

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    Header set Referrer-Policy "no-referrer"
</IfModule>

and I cannot recall why I used 15768000, probably something I found on this forum or the Internet…

javito · October 4, 2022, 3:35am

i was so exited to try ur solution to see if it was finally gonna solve my issue, it did, it solved it, but not by putting the entire thing u wrote, but i notice ur <IfModule mod_headers.c> was using a non capital C at the end, i did that i replaced my capital C for a regular c and voalah! problem solved, didnt even change the max age number, left everything untouched lol… cant belive i spent so much time looking for a solution and it was just a stupid letter -.-, anyways tyvm for ur tip

nc1215 · October 4, 2022, 12:00pm

Glad to help … even if it was by accident!!

tembares · July 19, 2024, 4:07pm

Hi,
I went crazy about the error myself, too

I added

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" Header set Referrer-Policy "no-referrer"

to .htaccess, but I still receive the message.

Now I have a .htaccess

under /var/www/html AND
under /var/www/html/nextcloud.

The first htaccess is quiet short.

<IfModule mod_headers.c>

is not mentioned already.
In the second one,

<IfModule mod_headers.c>

is there already, but the

Header always set Strict-Transport-Security “max-age=15768000; includeSubDomains; preload”
Header set Referrer-Policy “no-referrer”
is not included.

Questions:

in which one do I need to add it?
how to add the two Header lines in the second htaccess

Start of .htaccess of the second file:

<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization “(.+)” HTTP_AUTHORIZATION=$1
</IfModule>
<IfModule mod_lsapi.c>
SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>

<IfModule mod_env.c>
Don’t worry about the spacing